
New RomCom Variant Spotted: A Comparative and Expansion Analysis of IoCs

The threat actors behind the RomCom malware, known for extorting government agencies, recently resurfaced with a new RomCom variant called “Snipbot” or “RomCom 5.0” by Palo Alto Networks Unit 42.

RomCom was first detected in 2022 when threat actors used fake online tools mimicking SolarWinds, Advanced IP Scanner, PDF Reader Pro, and other popular software to trick users into downloading and installing the malware. Back then, WhoisXML API researchers analyzed related threat IoCs and found several potential artifacts.

The malware has evolved considerably since then. Snipbot is stealthier than earlier versions, although it is based on RomCom 3.0 and reuses techniques from RomCom 4.0. It leverages initial downloaders signed with valid code signing certificates, making target systems treat the downloaders as coming from trusted sources and effectively bypassing security controls. The threat actors can then execute commands and download additional modules aimed at stealing data.

Our researchers sought to compare the IoCs of the three most recent RomCom versions and pivot off these indicators to uncover relevant threat artifacts. Snipbot IoCs comprising 17 domains and one IP address were derived from Unit 42, while the IoCs of versions 3.0 (56 domains and two IP addresses) and 4.0 (nine domains) were published by Trend Micro in 2023. The analysis led to the discovery of:

  • 20 email-connected domains, some of which were found to be malicious
  • 27 additional IP addresses, all of which were found to be malicious
  • 122 IP-connected domains, some of which were found to be malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Comparative IoC Analysis of the Different RomCom Versions

We performed separate bulk WHOIS lookups for each list to compare the IoCs of the three RomCom versions. We excluded domain IoCs that did not have current WHOIS data from our analysis. We were left with 42 of the 56 RomCom 3.0 IoCs, three of the nine RomCom 4.0 IoCs, and two of the 17 Snipbot IoCs. Below are our findings for the remaining indicators.

  • The RomCom 3.0 domain IoCs were spread across 12 registrars, as seen in the chart below. However, the 4.0 and Snipbot IoCs were administered by only a few registrars, some of which overlapped. For instance, Tucows Domains, Inc. accounted for two RomCom 4.0 and 11 Snipbot IoCs, while NameSilo LLC was the registrar of two RomCom 4.0 and four Snipbot IoCs.
  • Four Snipbot domain IoCs were registered in the last quarter of 2023, but they were not detected in any incident until February 2024. A similar pattern can be seen for the 3.0 and 4.0 domain IoCs: some were registered in 2022 but weren’t detected until 2023.
  • Only two registrant countries were consistent across the domain IoCs in the different RomCom versions. Nine from version 3.0, three from version 4.0, and six from Snipbot were registered in the U.S. Two domain IoCs from RomCom 3.0 and one from 4.0 were registered in Iceland. The IoCs of the newest version were primarily registered in Saint Kitts and Nevis.

Next, we ran a bulk IP geolocation lookup for the three IP addresses identified as IoCs (one for Snipbot and two for RomCom 3.0) and found that:

  • The Snipbot IoC was geolocated in the Netherlands, while the RomCom 3.0 IoCs were geolocated in Germany and Finland. All three geolocations were therefore concentrated in relatively nearby European countries.
  • The three IP IoCs had different ISPs. The two RomCom 3.0 IoCs were administered by Aeza and OVHcloud, while the Snipbot IoC did not have an ISP on record, though its Autonomous System (AS) name was LIMENET.

Uncovering Potential RomCom Threat Artifacts

The IoC list expansion for all three RomCom versions was performed on 82 domain IoCs, which we queried on WHOIS History API. The results showed they had 155 email addresses in their historical WHOIS records, 31 of which were public.

We queried the 31 public email addresses on Reverse WHOIS API and found 20 email-connected domains after removing duplicates and the IoCs. According to Threat Intelligence Lookup, one of these artifacts was involved in a malware attack.

The next step in our threat-hunting efforts was to run the 82 domain IoCs on DNS Lookup to find their IP resolutions. We found that 57 did not have active resolutions, while the remaining 25 resolved to 27 unique IP addresses, which were not on the original IoC list. Threat Intelligence Lookup revealed that all of them were associated with various threats. Some examples are shown below.
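The expansion pipeline described in this section (historical WHOIS emails, reverse WHOIS minus the seed IoCs, DNS resolutions minus the known IP IoCs, then a threat-feed check), as an added example that is not WhoisXML API's code. The WHOIS-history, reverse-WHOIS, DNS and threat-feed data are constructed stand-ins for API responses, and the privacy-marker list used to decide which emails count as public is an assumption.

```python
"""IoC expansion pivots: WHOIS history -> reverse WHOIS, DNS -> new IPs. Constructed data only."""
from typing import Dict, Iterable, List, Set, Tuple

PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard", "withheld")  # assumed non-public

# Constructed stand-ins for API responses (RFC 5737 addresses, .example names).
SEED_DOMAINS = ["ioc-a.example", "ioc-b.example", "ioc-c.example"]
SEED_IPS = {"203.0.113.10"}
WHOIS_HISTORY = {"ioc-a.example": ["reg1@example.net", "contact@privacyguard.example"],
                 "ioc-b.example": ["REG1@example.net", "reg2@example.org"], "ioc-c.example": []}
REVERSE_WHOIS = {  # email -> domains registered with that email
    "reg1@example.net": ["ioc-a.example", "pivot-1.example", "pivot-2.example"],
    "reg2@example.org": ["pivot-2.example", "pivot-3.example"],
}
DNS = {"ioc-a.example": ["198.51.100.7"],  # domain -> current A records ([] = no resolution)
       "ioc-b.example": ["198.51.100.7", "203.0.113.10"], "ioc-c.example": []}
THREAT_FEED = {"pivot-3.example", "198.51.100.7"}  # artifacts with known detections

def public_emails(history: Dict[str, List[str]]) -> Set[str]:
    """Normalise historical registrant emails and drop privacy-service addresses."""
    addrs = {a.strip().lower() for recs in history.values() for a in recs}
    return {a for a in addrs if a and not any(m in a for m in PRIVACY_MARKERS)}

def email_connected_domains(emails: Iterable[str], reverse: Dict[str, List[str]],
                            seeds: Iterable[str]) -> Set[str]:
    """Reverse-WHOIS pivot: domains sharing a registrant email, minus the seed IoCs."""
    found = {d.lower() for e in emails for d in reverse.get(e, [])}
    return found - {s.lower() for s in seeds}

def ip_expansion(seeds: Iterable[str], dns: Dict[str, List[str]],
                 seed_ips: Set[str]) -> Tuple[List[str], Set[str]]:
    """DNS pivot: list IoCs with no active resolution; return resolved IPs not already IoCs."""
    unresolved = [d for d in seeds if not dns.get(d)]
    new_ips = {ip for d in seeds for ip in dns.get(d, [])} - seed_ips
    return unresolved, new_ips

def expand(seeds=SEED_DOMAINS, seed_ips=SEED_IPS) -> Dict[str, object]:
    """Run the full expansion and flag artifacts that appear in the threat feed."""
    emails = public_emails(WHOIS_HISTORY)
    domains = email_connected_domains(emails, REVERSE_WHOIS, seeds)
    unresolved, ips = ip_expansion(seeds, DNS, seed_ips)
    return {"public_emails": emails, "email_connected": domains,
            "email_connected_malicious": domains & THREAT_FEED,
            "unresolved": unresolved, "new_ips": ips, "new_ips_malicious": ips & THREAT_FEED}

if __name__ == "__main__":
    for key, value in expand().items():
        print(f"{key}: {sorted(value)}")
```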

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
